ALIASES:

Trojan:Win32/DefenseEvasion!rfn (Microsoft); RDN/Generic.dx (McAfee); Trojan.Win32.Bsymem.mww (Kaspersky); Trojan.Win32.Generic!BT (Sunbelt)

PLATFORM:

Windows


  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size: 519,680 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 10 Mar 2020

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This Trojan adds the following registry entries, which place the listed certificate thumbprints in the system's Disallowed certificate store (so Windows treats those certificates as untrusted) and set the Windows Defender policy value that disables it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4E564B9FBCE8F496FFF51278CCD14EE17F09A1CE
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F75019695C0504E3ABEFEDCD8FBE500DA08EC8FA
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\58939B78BC28EF464220127BB754E3D130306988
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8887AF2636E0D3B763AC4D56729218AF89653CA4
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\328E73F58737F1AB8DB0DA98FECFA17EB7BFAA40
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8B6DD299C6E4092040E98EB773F3818DF50B038D
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D70D7D00CA12E1B3E20F3BF7534DEB2C2E7C2404
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E27AA5FFDCA62A60E435292A243D0C6D43DCC513
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4E393AA1586C93E0BC9E7FEBCF7BFB62066DC22A
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\BDEEFEC5F002E281B2292A8C72EACA468CBF9952
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8DC9FE53D5F1D7D558EBE131E922730780D88865
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\0A0CF21F2AD2796FCC1309F2993659FC9F4BBFB9
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5AACB6A43D9D806E6963937BE702B7A43C1978AE
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B7E607E1FB8943C634580F621788C01C962E8280
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AA8399A239AE1785200917D32C21F6B662477BE4
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3C92C9274AB6D3DD520B13029A2490C4A1D98BC0
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\BF9254919794C1075EA027889C5D304F1121C653
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\816BE9397F66D1A26EFA04035BCA3BB9E3779740
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DBFAD9D59A6A07DCEB004DBE2DC246B547249E86
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1B581436B0ED7536755B8B1C81112509A5AAF6ED
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9A32249E9A6B9CF5C36B0749C81613524D37C594
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AEEA60E86C66327BFBB8492C33122687AB2B5D91
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\BE894F99B870DA5FCA623F7F4A85D3970A46CDE1
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1518752920E9221E1FE1728AACAC536728B37BA7
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7450C07722C75E711EF24209A22F0C5C6A5BEC4E
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE56B2BAAA995F447949B869356528F91230A49
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\78C55D604474B534EB2B565CAD312FC7D71FE9DE
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E4A0C1054F8025DD88EE5053094A9A61661AE123
Blob = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
DisableAntiSpyware = "1"

This report is generated via an automated analysis system.

SOLUTION

Minimum Scan Engine: 9.850

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Delete these registry values

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4E564B9FBCE8F496FFF51278CCD14EE17F09A1CE
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F75019695C0504E3ABEFEDCD8FBE500DA08EC8FA
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\58939B78BC28EF464220127BB754E3D130306988
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8887AF2636E0D3B763AC4D56729218AF89653CA4
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\328E73F58737F1AB8DB0DA98FECFA17EB7BFAA40
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8B6DD299C6E4092040E98EB773F3818DF50B038D
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D70D7D00CA12E1B3E20F3BF7534DEB2C2E7C2404
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E27AA5FFDCA62A60E435292A243D0C6D43DCC513
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4E393AA1586C93E0BC9E7FEBCF7BFB62066DC22A
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\BDEEFEC5F002E281B2292A8C72EACA468CBF9952
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\8DC9FE53D5F1D7D558EBE131E922730780D88865
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\0A0CF21F2AD2796FCC1309F2993659FC9F4BBFB9
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5AACB6A43D9D806E6963937BE702B7A43C1978AE
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B7E607E1FB8943C634580F621788C01C962E8280
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AA8399A239AE1785200917D32C21F6B662477BE4
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3C92C9274AB6D3DD520B13029A2490C4A1D98BC0
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\BF9254919794C1075EA027889C5D304F1121C653
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\816BE9397F66D1A26EFA04035BCA3BB9E3779740
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DBFAD9D59A6A07DCEB004DBE2DC246B547249E86
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1B581436B0ED7536755B8B1C81112509A5AAF6ED
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9A32249E9A6B9CF5C36B0749C81613524D37C594
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AEEA60E86C66327BFBB8492C33122687AB2B5D91
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\BE894F99B870DA5FCA623F7F4A85D3970A46CDE1
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1518752920E9221E1FE1728AACAC536728B37BA7
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7450C07722C75E711EF24209A22F0C5C6A5BEC4E
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DE56B2BAAA995F447949B869356528F91230A49
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\78C55D604474B534EB2B565CAD312FC7D71FE9DE
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E4A0C1054F8025DD88EE5053094A9A61661AE123
    • Blob = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    • DisableAntiSpyware = "1"

Step 3

Scan your computer with your Trend Micro product to delete files detected as Trojan.Win32.BSYMEM.AB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
